Splunk Enterprise Security

ES v8.x on cloud Investigations API

SOClife
Engager

All,

We are investigating a move from v7 to v8. We currently rely heavily on the Investigation API; however, per the documentation it is no longer available in v8. The v8 API also seems to be missing a GET call for notable_events.


Is there another way in the API that we can pull details on the enterprise security events, investigations and assets for v8 or do we need to hold off on upgrading while the product matures? 


livehybrid
SplunkTrust

Hi @SOClife 

The only documented APIs for ES8 specifically are at https://docs.splunk.com/Documentation/ES/8.0.2/API/AboutSplunkESAPI and, as you say, the investigation API isn't listed in there.

However - I believe some of the investigation endpoints you are looking for are actually now under the Mission Control app (See the MC APIs at https://docs.splunk.com/Documentation/MC/Current/SplunkPlaybookAPI)

If you view an investigation in the UI with the Network tab of the browser developer tools open, you will see API calls to <yourEnv>/en-US/splunkd/__raw/servicesNS/nobody/missioncontrol/v2/investigations/<GUID>/findings (for example!). Some of these map to the documented MC APIs; however, I couldn't find all of them in there. It's worth capturing the payload and responses to determine what you need from them.

As another example, loading the Incident Review in the UI loads some MC V1 API calls such as the notes endpoint.

In addition to the API calls, if you're extracting information about incidents/investigations then you may be able to perform standard SPL searches using the REST API:

| mcincidents                   <- returns a list of incidents within the time range searched
| mcincidentbyid id=ES-00001    <- returns the details of a single incident; pass display_id or id (GUID)

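The answer above points at two routes for pulling ES 8 / Mission Control incident data: plain SPL (`| mcincidents`, `| mcincidentbyid`) run through the standard search REST API, and the undocumented `missioncontrol/v2/investigations/<GUID>/findings` call the UI makes. The following is an added example, not code from the thread or from Splunk, showing how a practitioner would drive the first route from a script: it builds a one-shot search job request (`POST /services/search/jobs` with `exec_mode=oneshot`, `output_mode=json`), whitelists a caller-supplied incident id before splicing it into SPL, parses the JSON the job returns, and constructs the findings URL for the second route. The base URL, the bearer token, and the field names in the constructed sample response (`display_id`, `status`, `name`) are assumptions; confirm the real field names against a live `| mcincidents` result before depending on them.

```python
"""Pull ES 8 / Mission Control incident data with plain SPL through the Splunk
search REST API (POST /services/search/jobs, exec_mode=oneshot).

Added example; not from the forum thread or from Splunk. Assumed: splunkd's
management endpoint is reachable at the base URL given (typically port 8089),
and a JWT token with search rights is available. Field names in the constructed
sample response are assumptions; verify them against a real result.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Any

SEARCH_JOBS_PATH = "/services/search/jobs"
# Path observed in the browser's Network tab while viewing an investigation
# (the UI reaches it via /en-US/splunkd/__raw/). Undocumented; may change.
FINDINGS_PATH = "/servicesNS/nobody/missioncontrol/v2/investigations/{guid}/findings"

_SAFE_ID = re.compile(r"^[A-Za-z0-9_-]+$")
_GUID = re.compile(r"^[0-9a-fA-F-]{32,36}$")


def incident_by_id_spl(incident_id: str) -> str:
    """Build '| mcincidentbyid id=<id>' for a display_id (ES-00001) or a GUID.
    The value is whitelisted so a caller-supplied id cannot smuggle extra SPL."""
    if not _SAFE_ID.match(incident_id):
        raise ValueError(f"unsafe incident id: {incident_id!r}")
    return f"| mcincidentbyid id={incident_id}"


def build_oneshot_request(base_url: str, spl: str,
                          earliest: str = "-24h", latest: str = "now") -> tuple[str, bytes]:
    """Return (url, form body) for a one-shot search job returning JSON.
    splunkd requires SPL to start with 'search' or a generating command ('|')."""
    if not spl.lstrip().startswith(("|", "search ")):
        spl = "search " + spl
    body = urllib.parse.urlencode({
        "search": spl,
        "exec_mode": "oneshot",
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": latest,
    }).encode()
    return base_url.rstrip("/") + SEARCH_JOBS_PATH, body


def findings_url(base_url: str, investigation_guid: str) -> str:
    """URL of the findings call the ES 8 UI makes (not in the documented MC API)."""
    if not _GUID.match(investigation_guid):
        raise ValueError(f"not a GUID: {investigation_guid!r}")
    return base_url.rstrip("/") + FINDINGS_PATH.format(guid=investigation_guid)


def parse_oneshot_results(payload: str) -> list[dict[str, Any]]:
    """Oneshot JSON carries a 'results' list; search errors arrive in 'messages'."""
    data = json.loads(payload)
    for msg in data.get("messages", []):
        if msg.get("type") in ("ERROR", "FATAL"):
            raise RuntimeError(f"search failed: {msg.get('text')}")
    return data.get("results", [])


def summarize_incidents(results: list[dict[str, Any]]) -> list[tuple[str, str, str]]:
    """Reduce result rows to (display_id, status, name), tolerating missing fields."""
    return [(r.get("display_id", "?"), r.get("status", "?"), r.get("name", "?")) for r in results]


def run_oneshot(base_url: str, token: str, spl: str, **time_range: str) -> list[dict[str, Any]]:
    """Execute the search against a live splunkd (needs network; not run offline)."""
    url, body = build_oneshot_request(base_url, spl, **time_range)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return parse_oneshot_results(resp.read().decode("utf-8"))


# Constructed sample, shaped like output_mode=json for a finished oneshot job.
SAMPLE_RESPONSE = json.dumps({
    "preview": False,
    "init_offset": 0,
    "messages": [],
    "results": [
        {"display_id": "ES-00001", "status": "New", "name": "Suspicious PowerShell download"},
        {"display_id": "ES-00002", "status": "In Progress", "name": "Brute force against VPN"},
    ],
})

if __name__ == "__main__":
    url, body = build_oneshot_request("https://splunk.example.com:8089", "| mcincidents", earliest="-7d")
    print(url, body.decode())
    print(build_oneshot_request("https://splunk.example.com:8089", incident_by_id_spl("ES-00001"))[1].decode())
    for row in summarize_incidents(parse_oneshot_results(SAMPLE_RESPONSE)):
        print(*row, sep=" | ")
```

The one-shot mode blocks until the search finishes and returns results in the same response, which is what a polling integration usually wants; for large time ranges create a normal job and page through `/services/search/jobs/<sid>/results` instead. The id whitelist matters because `mcincidentbyid id=<value>` is string-concatenated SPL: an unvalidated value such as `ES-00001 | delete` would otherwise run as part of the search under the token's privileges.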

SOClife
Engager

Thanks @livehybrid  this is promising. Do you happen to know a search command that would give information on the artifacts associated with an incident?


kiran_panchavat
Champion

@SOClife 

If your operations heavily depend on the Investigation API's simplicity and no workaround (e.g., REST searches) is feasible within your timeline, consider sticking with v7.x until v8.x matures.

There are no APIs available: